问题描述
我重构了一些旧代码,并试图理解 headers
好一点。
在
现在我理解了'为什么',但是当
$ b
$当点击取消按钮时,我的当前页面被重新导向。
我存储请求的页面以及会话变量中的值允许我这样做:
if(isset($ _ SESSION ['searchPage'])){
header('Location:searchForm.php?ticket ='。$ _ SESSION ['product']。'& searchbtn = Search');
exit();
}
然而,为了使这个工作在显示页面中,我不得不使用 ob_start()
。
为了避免这种解决方法,我发现我可以通过javascript重定向:
if(isset($ _ SESSION ['searchPage'])){
echo'< script> window.location =searchForm.php?产物= [产物 '] '&安培$ _ SESSION。'; searchbtn =搜索;< /脚本>';
exit();
}
现在回答我的问题
- 哪种方法更好或可以接受?
- 我似乎无法想象如何在没有输出发送的情况下设计我的页面在使用
header()
之前。如果按钮点击事件导致重定向,那么如何在不使用ob_start()
?
首先,你可能想要阅读更多关于重定向使用
头
。而不是仅仅设置 header('Location:...');
,使用以下代码重定向: header('HTTP / 1.1 301永久移动');
header('Location:searchForm.php?ticket ='。$ _ SESSION ['product']。'& searchbtn = Search');
301重定向通常对搜索引擎优化更好,大多数浏览器都会缓存重定向,因此客户端历史记录堆栈将更可靠,这对于可能使用历史记录的JS脚本来说是个好消息...
- 哪种方法更好?
PHP。仅依靠JS来重定向客户端并不是一个好主意。客户端可能会关闭你的脚本,或者如果JS代码中出现一些错误,重定向将不起作用。一些青少年可能会觉得你的代码搞乱了,并且在你的网站上发现了可能存在的安全问题。
2。如何使用 ob _ *
,或者如何使用 header
而不用 ob _ *
$ b
只需使用开始输入脚本(
调用,以确保。也许使用 index.php
), ob_start() ob_implicit_flush(true)
来隐式地刷新输出缓冲区。但更重要的是,只需在设置好标头后立即调用 ob_flush()
。
或者使用像Symfony2和/或ZendFW这样的框架进行研究。处理重定向的代码已经为你写了很多次,为什么不使用它?
如果你想避开输出缓冲,也许你可能想要考虑遵循某些模式或设计原则(如MVC,IPO等),并将代码写入(+ - )总是请按照以下顺序来处理业务:
在处理完请求后,您可以重定向,并且由于您甚至不接近呈现输出,更不用说发送标题了,您可以安全地重定向或设置标题... b
$ b
更新: b //google-gruyere.appspot.com/rel =nofollow>格鲁耶尔在XSS攻击方面有特殊的地位您可能想要阅读......尽管该文档的主要内容是,我相信,如何安全地使用mashup(实际上是真正的XSS注入)。无论如何,他们在解释为什么以及如何使用JS来破坏任何Web应用程序的安全方面做得更好。
I'm refactoring some old code and trying to understand headers
a bit better.
I read an awesome answer in the following post on No output before sending headers!Now I understand the 'why' but when it comes to implementation Its still a bit fuzzy.
My current page redirects back when the cancel button is clicked with the value searched.
I store the page the request was made from and the value in session variables allowing me to do this:
if (isset($_SESSION['searchPage'])){
header('Location:searchForm.php?ticket='.$_SESSION['product'].'&searchbtn=Search');
exit();
}
However to make this work in the display page I had to to use ob_start()
.
To avoid this workaround I found that I could redirect via javascript:
if (isset($_SESSION['searchPage'])){
echo '<script>window.location="searchForm.php?product='.$_SESSION['product'].'&searchbtn=Search";</script>';
exit();
}
Now to my questions
- Which method is better or acceptable?
- I can't seem to think of a way to design my page in such away where no output is sent before using
header()
. If a button click event causes redirection how do you handle redirection in php without usingob_start()
?
edit
First and foremost, you might want to read up some more on redirecting using header
. Instead of just setting header('Location:...');
, redirect using the following code:
header ('HTTP/1.1 301 Moved Permanently');
header('Location:searchForm.php?ticket='.$_SESSION['product'].'&searchbtn=Search');
A 301 redirect is generally better for SEO, and most browsers will cache the redirect, so the client history stack will be more reliable, which is good news for the JS scripts that might use the history...
- Which is the better approach?
PHP. Relying solely on JS for redirecting the client is not a great idea. Clients might turn of your script, or if some error creeps in the JS code, the redirection won't work. Some borred teen might feel like messing with your code, and find possible security issues in your site.
2. How to use ob_*
, or how to use header
without ob_*
?
Just start your entry script (index.php
) with an ob_start()
call, to make sure. Perhaps use ob_implicit_flush(true)
, to implicitly flush your output buffer. But more importantly, just call ob_flush()
right after setting your headers.
Alternatively look into using a framework like Symfony2 and/or ZendFW. Code to handle redirects has been written for you many times, why not use it?
If you want to steer clear of output buffering, perhaps you might want to consider following certain patterns, or design principles (like MVC, IPO and the like) and write your code to (+-) always follow this order to take care of business:
- Get the request
- Process data from request, determine what data client is asking for
- structure data
- render page
- send response
Right after you've processed the request, you'll be able to redirect, and since you're not even close to rendering the output, let alone sending the headers, you're safe to redirect and or set the headers...
Update:
Just a link in response to your follow-up question Gruyere has a special secion on XSS attacks you might want to read... Though the main purpouse of the document is, I believe, how to safely use mashups (which are actually bonafide XSS injections). Anyway, they do a far better job at explaining why and how JS can be used to undermine security of any webapp.
这篇关于我应该通过PHP还是Javascript来处理重定向?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!